From b7fa264749ae4b8f01341e4a1392a76440a3611d Mon Sep 17 00:00:00 2001
From: ameerj <52414509+ameerj@users.noreply.github.com>
Date: Thu, 15 Jul 2021 00:51:50 -0400
Subject: vic: Fix dimension compuation of YUV frames

Fixes out of bound memory crashes in Mario Golf
---
 src/video_core/command_classes/vic.cpp | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

(limited to 'src/video_core/command_classes/vic.cpp')

diff --git a/src/video_core/command_classes/vic.cpp b/src/video_core/command_classes/vic.cpp
index 0a8b82f2b..43ac20728 100644
--- a/src/video_core/command_classes/vic.cpp
+++ b/src/video_core/command_classes/vic.cpp
@@ -119,28 +119,27 @@ void Vic::Execute() {
 
         const std::size_t surface_width = config.surface_width_minus1 + 1;
         const std::size_t surface_height = config.surface_height_minus1 + 1;
-        const std::size_t half_width = surface_width / 2;
-        const std::size_t half_height = config.surface_height_minus1 / 2;
+        const auto frame_width = std::min(surface_width, static_cast<size_t>(frame->width));
+        const auto frame_height = std::min(surface_height, static_cast<size_t>(frame->height));
+        const std::size_t half_width = frame_width / 2;
+        const std::size_t half_height = frame_height / 2;
         const std::size_t aligned_width = (surface_width + 0xff) & ~0xff;
 
         const auto* luma_ptr = frame->data[0];
         const auto* chroma_b_ptr = frame->data[1];
         const auto* chroma_r_ptr = frame->data[2];
-        const auto stride = frame->linesize[0];
-        const auto half_stride = frame->linesize[1];
+        const auto stride = static_cast<size_t>(frame->linesize[0]);
+        const auto half_stride = static_cast<size_t>(frame->linesize[1]);
 
         luma_buffer.resize(aligned_width * surface_height);
-        chroma_buffer.resize(aligned_width * half_height);
+        chroma_buffer.resize(aligned_width * surface_height / 2);
 
         // Populate luma buffer
-        for (std::size_t y = 0; y < surface_height - 1; ++y) {
+        for (std::size_t y = 0; y < frame_height; ++y) {
             const std::size_t src = y * stride;
             const std::size_t dst = y * aligned_width;
-
-            const std::size_t size = surface_width;
-
-            for (std::size_t offset = 0; offset < size; ++offset) {
-                luma_buffer[dst + offset] = luma_ptr[src + offset];
+            for (std::size_t x = 0; x < frame_width; ++x) {
+                luma_buffer[dst + x] = luma_ptr[src + x];
             }
         }
         gpu.MemoryManager().WriteBlock(output_surface_luma_address, luma_buffer.data(),
-- 
cgit v1.2.3